SecurID tokens compromised, company admits

RSA Security has offered to replace up to 40 million SecurID tokens — devices used to securely log in to a computer — after hackers stole information that compromised them, the company’s chairman said Monday.

The unprecedented offer to more than 30,000 companies and government agencies worldwide follows the company’s disclosure in March of “an extremely sophisticated” cyber attack on its systems. The attack resulted in the theft of valuable data related to SecurID, which could be used to launch a broader attack against a corporation using the tokens.

“Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defense secrets” and related intellectual property, rather than financial gain or users’ personal information, RSA Chairman Art Coviello said in an open letter to SecurID customers.

Last week, Bethesda-based Lockheed Martin, a major defense contractor, became the first corporation to acknowledge that its systems were breached, in part because of the compromised tokens. It has stated that its systems are “secure.”

The tokens are in wide use among defense contractors. Lockheed has begun to replace all its 45,000 SecurID devices, but some security experts and industry officials fear that step may not be enough, since the attacker who stole the RSA data may have already penetrated some networks.

What has stunned industry and some government officials alike is that SecurID was considered the gold standard in security. The device features “two-factor” authentication, requiring a user to enter both his password and a random six-digit number, generated every 60 seconds by the token, to log into a network.
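To make concrete why stolen token data matters, here is an added example (not RSA's code, and not the SecurID algorithm, which is proprietary and not described on this page) using the standardized time-based one-time-password scheme from RFC 6238 as a stand-in: a six-digit code that changes every 60 seconds is derived from a per-token secret seed and the clock, so whoever holds the seed can produce identical codes, and the only remedy is re-provisioning the token with a fresh seed. The seed value and the verification window are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the RFC 4226/6238 test-vector key), standing in for
# the per-token secret a vendor provisions. Not a real SecurID seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock.
    The 60-second step mirrors the token described in the article."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int,
           step: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `window` steps either side to tolerate clock drift; the comparison is
    constant-time so a partial match is not leaked through timing."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, digits), code):
            return True
    return False


def seed_holder_reproduces_code(seed: bytes, unix_time: int) -> bool:
    """The second factor is only as secret as the seed: an independent
    computation from the same seed and clock yields the same code."""
    token_display = totp(seed, unix_time)
    other_party = totp(seed, unix_time)
    return token_display == other_party


def replacement_token_rejects_old_seed(old_seed: bytes, new_seed: bytes,
                                       unix_time: int) -> bool:
    """Mitigation: once the server is re-provisioned with a new seed,
    codes derived from the old (compromised) seed no longer verify."""
    stale_code = totp(old_seed, unix_time)
    return not verify(new_seed, stale_code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SEED, now))
    print("accepted:", verify(DEMO_SEED, totp(DEMO_SEED, now), now))
    # Constructed replacement seed for the re-provisioning check.
    print("old seed rejected after rotation:",
          replacement_token_rejects_old_seed(DEMO_SEED, b"fresh-seed-after-rotation", now))
```

The `verify` window is the usual operational trade-off: a wider window absorbs clock drift on the token but gives a stolen seed (or an intercepted code) a few more seconds of validity, which is why re-provisioning, not window tuning, is the fix once seed material is believed lost.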

“What RSA was really selling was confidence,” said one U.S. official, who was not authorized to speak for the record. “Their message was, ‘Use SecurID — it’s the standard in the industry,’ and at the same time, RSA’s back door was unlatched.”

The bottom line, the official said, is “we could have had significant losses and just don’t know it.”

Deputy Defense Secretary William J. Lynn has said that the threat to intellectual property may be the “most significant cyber threat” facing the United States over the long term. It is estimated that $1 trillion worth of intellectual property is stolen annually through computer network breaches.

The Pentagon “does not rely heavily” on RSA’s SecurID tokens, and the impact on the department “has been minimal,” spokeswoman Lt. Col. April Cunningham said.

Some firms are weighing whether to switch security vendors, said one industry official, who was not authorized to speak for the record.

RSA, which is a division of EMC, also has offered to provide extra anti-fraud detection technology to customers, typically those that focus on Web-based financial transactions.

The past several weeks have seen a number of high-profile attacks on major firms such as Sony, Google, and e-mail marketer Epsilon. These incidents “point to a changing threat landscape and have heightened public awareness and customer concern,” Coviello said.